security: harden gitignore and add config example files [v1.3.7]

- Expanded .gitignore: root venv, npx_cache, AI metadata (.remember, .claude),
  data/ (SQLite DB), frontend/config/, frontend/public/icons/, certificates,
  docker-compose.override.yml
- Removed backend/config/ldap_config.json from git tracking (contains real IPs/credentials)
- Added backend/config/ldap_config.json.example with placeholder template
- Updated backend/.env.example: added JWT_SECRET_KEY, ALLOWED_ORIGINS, DATA_DIR, LOGS_DIR
This commit is contained in:
Daniel Bedeleanu
2026-04-11 19:37:16 +03:00
parent 6981cadb57
commit 955b1e86e5
5 changed files with 124 additions and 17 deletions

81
.gitignore vendored
View File

@@ -1,11 +1,80 @@
# ============================================================
# TFM aInventory — .gitignore
# ============================================================
# ── Python environments ──────────────────────────────────────
.venv/
backend/venv/
**/__pycache__/
*.pyc
*.pyo
*.pyd
*.egg-info/
dist/
build/
# ── Runtime data (databases, configs w/ secrets) ─────────────
data/
backend/data/
backend/logs/
frontend/logs/
__pycache__/
*.pyc
# LDAP config contains real server IPs and credentials — never commit
# The active config is: backend/config/ldap_config.json (read by the app)
# Duplicate/orphan copies are also excluded:
backend/ldap_config.json
backend/config/ldap_config.json
backend/data/ldap_config.json
# Keep example files tracked:
!backend/config/ldap_config.json.example
# ── Environment files (secrets) ──────────────────────────────
.env
.DS_Store
aInventory-PROD*
aInventory-PROD*.zip
.env.*
!.env.example
backend/.env
backend/.env.*
!backend/.env.example
# Docker environment override file
docker-compose.override.yml
.env.docker
# ── Application logs ─────────────────────────────────────────
logs/
frontend/logs/
# ── Frontend build artifacts ──────────────────────────────────
frontend/.next/
frontend/out/
frontend/build/
frontend/node_modules/
# ── Frontend generated/runtime assets ────────────────────────
# SSL certs and runtime configs (generated by start_server.sh)
frontend/config/
# PWA icons generated at build time
frontend/public/icons/
# ── npm / npx caches ─────────────────────────────────────────
.npx_cache/
scratch/npm_cache/
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
# ── Production bundles (generated by export_prod.sh) ─────────
aInventory-PROD*/
aInventory-PROD*.zip
# ── AI / IDE metadata ─────────────────────────────────────────
.remember/
.claude/
# ── macOS system files ────────────────────────────────────────
.DS_Store
**/.DS_Store
# ── Certificates & keys ──────────────────────────────────────
*.pem
*.key
*.crt
*.cert

View File

@@ -1,10 +1,10 @@
{
"version": "1.3.6",
"last_build": "2026-04-11-1714",
"commit": "ccc69d92",
"version": "1.3.7",
"last_build": "2026-04-11-1936",
"commit": "pending",
"changelog": [
"v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)",
"v1.3.4: Created USER_GUIDE.md for end-users and integrated into export bundle",
"v1.3.3: Added comprehensive project README.md documenting all operational modes"
"v1.3.7: Security hardening — expanded .gitignore (venv, caches, ldap configs, AI metadata), removed backend/config/ldap_config.json from git tracking, added ldap_config.json.example and updated .env.example",
"v1.3.6: Scanner UI redesign (autonomous OCR, countdown), Item Type datalist, save-version automation",
"v1.3.5: Security audit complete. JWT Bearer auth (C-01), rate limiting (H-02), CORS config (M-01), and all code comments translated to English (STRICT ENGLISH POLICY)"
]
}

View File

@@ -1,5 +1,25 @@
# Google Gemini API Key
GEMINI_API_KEY=your_gemini_key_here
# ============================================================
# TFM aInventory — Backend Environment Variables
# Copy this file to .env and fill in real values.
# NEVER commit the real .env file to Git!
# ============================================================
# Anthropic Claude API Key
CLAUDE_API_KEY=your_claude_key_here
# --- AI API Keys ---
# Google Gemini API Key (required for AI label OCR onboarding)
GEMINI_API_KEY=your_gemini_api_key_here
# --- Security ---
# JWT secret key — generate a strong random value for production:
# python3 -c "import secrets; print(secrets.token_urlsafe(64))"
# If not set, an ephemeral key is generated per-run (tokens invalidated on restart).
JWT_SECRET_KEY=change-me-generate-a-secure-random-value
# --- CORS ---
# Comma-separated list of allowed frontend origins
# Example for LAN deployment:
# ALLOWED_ORIGINS=http://192.168.1.100:3000,https://192.168.1.100:3003
ALLOWED_ORIGINS=http://localhost:3000,https://localhost:3003
# --- Data Paths (overridden by start_server.sh / docker-compose) ---
# DATA_DIR=/absolute/path/to/data
# LOGS_DIR=/absolute/path/to/logs

View File

@@ -1 +0,0 @@
{"ldap_enabled": true, "server_uri": "ldap://192.168.84.107:3890", "base_dn": "dc=example,dc=com", "user_template": "cn={username},ou=people,dc=example,dc=com", "groups_dn": "ou=groups", "use_tls": false, "role_mappings": [{"group": "inventory_admins", "role": "admin"}, {"group": "inventory_users", "role": "user"}]}

View File

@@ -0,0 +1,19 @@
{
"_comment": "Copy this file to ldap_config.json and fill in real values. NEVER commit ldap_config.json to Git.",
"ldap_enabled": false,
"server_uri": "ldap://YOUR_LDAP_SERVER_IP:389",
"base_dn": "dc=yourdomain,dc=com",
"user_template": "cn={username},ou=people,dc=yourdomain,dc=com",
"groups_dn": "ou=groups",
"use_tls": false,
"role_mappings": [
{
"group": "inventory_admins",
"role": "admin"
},
{
"group": "inventory_users",
"role": "user"
}
]
}